Hospital Equipment Infected With Conficker
nandemoari writes "Recently, the Conficker/Downadup worm infected several hundred machines and critical medical equipment in an undisclosed number of US hospitals.
The attacks were not widespread; however, Marcus Sachs, director of the SANS Internet Storm Center, told CNET News that it raises the awareness of what we would do if there were millions of computers infected in hospitals or in critical infrastructure locations.
It's not clear how the devices (including heart monitors, MRI machines and PCs) got infected. Infected computers were running Windows NT and Windows 2000 in a local area network (LAN) that wasn't supposed to be Internet accessible, but the LAN was connected to one with direct Internet access.
A patch was released by Microsoft last October that fixes the problem, but the computers infected were reportedly too old to be patched."
Medical equipment has a very long lifespan. Many devices for measurement and monitoring are used for 10 to 20 years before replacement. The general policy is "if it works, don't fix it and, more importantly, do not touch it".
The real problem is that most suppliers of equipment are reluctant to support any type of patches. Many of the suppliers explicitly state that the machines may not be changed in any way (and that includes patching the OS) or you will lose all guarantee and support.
It's not like they can just upgrade the computer. The computer is running software that goes with specialized equipment. They'd have to upgrade everything if they upgraded anything, and with that you could easily be talking millions of dollars. That might not be really needed, as the machine should run just as well as it did when they bought it if it hasn't broken. If it's a smaller hospital, they might not have the budget to replace non-broken machines that still perform within needed specs, especially in this economic climate. Add in that some of these machines need to be FDA tested and are only supported by the manufacturer, and that makes it even more expensive and harder to upgrade. Then, on many of these machines, the users might not even know they're running on NT4, as the software they run takes up the entire screen and they never actually interact with Windows at all.
I work in healthcare and I'm not surprised at all. Within the last year we just got rid of a Win95 system that was still talking over Novell networking, our VAX system, and a bunch of Sun SPARC stations. We still have plenty of Win2k and probably some WinNT4 around. We also have one of the most advanced setups in the country, but legacy systems still exist for lots of reasons. First off, if it still works, management is not likely to want to get rid of it unless you make a good case for a good ROI. They're all old and aren't used to replacing major hospital systems that aren't broken, especially if the new system doesn't offer any advantages. Budgets are always a problem, because if the department isn't bringing in enough money to warrant new equipment, they might not get it. Then there are the vendors. Perhaps GE, Fuji, or Cerner are happy with their old system or want to sell you lots of stuff you don't want or need to replace one bit that is still running on old server tech just fine, so you effectively can't upgrade even if you wanted to.
For that matter, why is it running a general-purpose OS like Windows?
Ease of development, particularly UI support for rich user interaction and feedback.
Most medical systems I've worked on have two OSes: a relatively hard realtime system that's really close to the hardware, and a second system (Linux or Windows) that's close to the user. For some applications the general-purpose OS is used as a soft realtime system and talks to all the hardware via USB or a frame grabber. Only very simple systems are pure embedded these days.
Given the complexity of computing that some of these machines do, this makes perfect sense: an embedded, realtime OS is just not what you want to be dealing with when trying to develop richly representational software. Think imaging systems and computer-assisted surgery systems, which often have a lot of analysis and image processing built in, including heavy user interaction, in realtime, in the OR.
Intra-op ultrasound is routine in cardiac surgery (and yes, sometimes systems hang and have to be rebooted while the patient is on the table with their heart stopped...) Intra-op fluoroscopy is routine in some procedures as well, particularly in ortho.
The problem is that people have come to expect features that can't be easily delivered without a general purpose OS, and the issues that come with that are pretty much invisible to anyone who would be likely to scream about it, including the FDA. Users get used to periodic failures and work around them, just like desktop users do.
Indeed, I work for an OEM on the imaging (X-Ray) side of the house. My system(s) do get patched regularly. The users are given specific instruction not to "Surf the web".
These systems are usually on a network segment dedicated strictly to imaging, yet somehow I manage to find all fashion of virus (most recently Conficker), games and saved email attachments on the Desktop.
The FDA is very strict about how these systems are to be upgraded and serviced, but patching is a non-issue.
My company has a simple solution to the virus issue though: if the network admin allows the cluster to get infected, we will gladly remove the infection, for a price.
If I only had a penny for every time I have heard "It's not my network, check your equipment".